1. INTRODUCTION

Cryptography is a technique developed in data security to ensure that the original message is not accessed by an unauthorized person or entity [1]. Hoffstein and colleagues created the Number Theory Research Unit (NTRU) cryptosystem in 1996 while looking for an efficient public-key cryptosystem based on restricted polynomials over polynomial rings [2]. NTRU's computational complexity is $O(N^2)$ [2]. The underlying hard problems make the security of NTRU strong and resistant to both classical and quantum attacks. NTRU is among the most important post-quantum cryptosystems. The security of NTRU is linked to a very difficult problem in lattice reduction called the shortest vector problem (SVP) [3], and it is thought that there is no polynomial-time algorithm to solve this problem. The main theory used to build the NTRU cryptosystem addresses its classical security as well as its resistance to quantum attacks [4]-[6].

In the NTRU cryptosystem, key generation is more than 200 times faster than in the Rivest-Shamir-Adleman (RSA) cryptosystem, encryption is almost 3 times faster, and decryption is about 30 times faster [7]. Preliminary results on its working were shown in [8]. NTRU has several variants, such as Construction Theory Research Unit (CTRU), Quaternionic Theory Research Unit (QTRU), Matrix Formulation (MaTRU), Eisenstein Theory Research Unit (ETRU), a noncommutative analogue of NTRU (NNRU), Ideal lattices Theory Research Unit (ILTRU), and others [2]. The NTRU cryptosystem is more efficient and may be able to withstand quantum computers in the long run, because its encryption (or signature) and decryption (or verification) speeds are very fast and it uses only a small amount of space [6]. NTRU is based on lattice reduction. For the last 20 years or so, the main attacks on NTRU primitives have not focused on the hard lattice problems; they have instead focused on other things [8]. Shor's algorithm broke RSA and elliptic-curve cryptography (ECC) in 1994 [9], which is why lattice-based cryptography is so important now. Its advantages include a good understanding of the hard problem and being hardware-friendly, fast, and able to run in groups [10]. It will be about 15 years before the quantum computer is ready to be used [11]. Forecasting and improving lattice reduction algorithms is still an active research subject after almost 40 years [12].

In this paper, we review the NTRU algorithms and most of the improvements made over previous work, analyze them, and discuss why NTRU was chosen as a candidate in the third round of the National Institute of Standards and Technology (NIST) post-quantum cryptography process. The paper also compares NTRU variants, especially their public keys, in terms of efficiency and security. Our contribution is to search most previous studies and try to answer the question: is quantum mechanics used to generate the public key of the NTRU algorithm in those studies, either as a parameter or to generate it entirely while eliminating the inverse polynomial?


2. RESEARCH METHOD OF NTRU 
The Number Theory Research Unit (NTRU) is a collection of mathematical algorithms for manipulating lists of very small integers and polynomials [9]. NTRU operations are based on objects in the truncated polynomial ring $R = \mathbb{Z}[X]/(X^N - 1)$. As a consequence [12], NTRU may achieve high speeds while using little computing resources [13]. The NTRU key generation technique requires computing the modular multiplicative inverse of F modulo p and q [14], making it the first secure public-key cryptosystem that does not depend on factorization or discrete logarithm concerns [15]. Let f and g be polynomials of the form:


$$f = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + \dots + a_{N-1} X^{N-1} + a_N X^N \qquad (1)$$

$$g = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + \dots + a_{N-1} X^{N-1} + a_N X^N \qquad (2)$$


The NTRU parameters [16] are shown in detail in Table 1.


Table 1. Detail of NTRU parameters

Parameter of NTRU    Detail
N                    Each truncated polynomial has degree N.
p                    Small modulus
q                    Large modulus
r                    Random polynomial
m                    Message


2.1. NTRU Key generation 

To generate the public and private keys, one first needs to find the multiplicative inverses of f mod p and g mod q so that the public and private keys match [13], [17]. A polynomial multiplicative inverse is not always easy to find. In this case, the extended Euclidean algorithm is used to find the greatest common divisor (GCD), and then a series of polynomial factorizations are used [13].


$$F_p * F = 1 \pmod p, \qquad G_p * G = 1 \pmod p \qquad (3)$$

$$F_q * F = 1 \pmod q, \qquad G_q * G = 1 \pmod q \qquad (4)$$


The public key H [16] is obtained by using the inverses of the F and G matrices (mod q) and a random polynomial.


h = F * g mod q (5) 


2.2. Encryption of NTRU 
The sender can transmit an encrypted message to the receiver using the NTRU equation and a public key [18]:


e = rh + m(mod q) (6) 


The message is now encrypted, and the sender may transmit e, computed as in (6), to the receiver.
2.3. Decryption of NTRU

The receiver wants to decrypt the message received from the sender. The receiver first computes the polynomial a defined by (7) [18]-[20]:

a = f.(mod q) (7) 
The receiver then computes the polynomial b defined by (8).

b = a(mod p) (8) 

Finally, the receiver computes the polynomial c defined by (9).

$$c = f_p * b \pmod p \qquad (9)$$

The original message m is represented by this polynomial c.
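The three steps of Sections 2.1 to 2.3 as an added worked example (not code from the paper or from any NTRU implementation): a toy NTRU in Python that inverts f with the extended Euclidean algorithm, then encrypts and decrypts one message. Assumptions: N = 7, p = 3, q = 41 and all polynomials are constructed values far too small to be secure, q is taken prime so one inversion routine serves both moduli, and the usual factor p is folded into the public key (h = p·f_q*g mod q) so that the r*g term vanishes mod p during decryption.

```python
# Toy NTRU in R = Z[X]/(X^N - 1); polynomials are coefficient lists, lowest degree first.
# Constructed toy values, not secure. q is prime here so one routine inverts mod p and mod q.
N, P, Q = 7, 3, 41
F = [-1, 0, 1, 1, -1, 0, 1]   # private f = X^6 - X^4 + X^3 + X^2 - 1
G = [0, -1, -1, 0, 1, 0, 1]   # private g = X^6 + X^4 - X^2 - X
M = [1, -1, 1, 1, 0, -1, 0]   # message m, coefficients in {-1, 0, 1}
R = [-1, 1, 0, 0, 0, -1, 1]   # random blinding polynomial r

def conv(a, b, n, m):  # cyclic convolution a*b in Z_m[X]/(X^n - 1)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] = (c[(i + j) % n] + ai * bj) % m
    return c

def trim(a):  # drop leading zero coefficients in place
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, m):  # a / b over GF(m); m prime, b nonzero and trimmed
    a, inv = a[:], pow(b[-1], -1, m)
    quo = [0] * (len(a) - len(b) + 1)
    while len(a) >= len(b):
        shift, c = len(a) - len(b), a[-1] * inv % m
        quo[shift] = c
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - c * bi) % m
        trim(a)
    return quo, a

def invert(f, n, m):  # extended Euclid on (X^n - 1, f); None if f has no inverse
    r0, r1 = [m - 1] + [0] * (n - 1) + [1], trim([c % m for c in f])
    s0, s1 = [0] * n, [1] + [0] * (n - 1)   # invariant: s_i * f == r_i in the ring
    while r1:
        quo, rem = poly_divmod(r0, r1, m)
        s = [(x - y) % m for x, y in zip(s0, conv(quo, s1, n, m))]
        r0, r1, s0, s1 = r1, rem, s1, s
    if len(r0) != 1:   # gcd(f, X^n - 1) is not a constant
        return None
    c = pow(r0[0], -1, m)
    return [c * x % m for x in s0]

def center(a, m):  # lift residues mod m to the interval centered on zero
    return [(x + m // 2) % m - m // 2 for x in a]

def keygen(f, g):
    f_p, f_q = invert(f, N, P), invert(f, N, Q)
    if f_p is None or f_q is None:
        raise ValueError("f must be invertible mod p and mod q; choose another f")
    h = [P * x % Q for x in conv(f_q, g, N, Q)]   # assumption: factor p folded into h
    return h, f_p

def encrypt(m, r, h):  # e = r*h + m (mod q)
    return [(x + y) % Q for x, y in zip(conv(r, h, N, Q), m)]

def decrypt(e, f, f_p):
    a = center(conv(f, e, N, Q), Q)        # a = f*e (mod q), centered
    b = [x % P for x in a]                 # b = a (mod p)
    return center(conv(f_p, b, N, P), P)   # c = f_p*b (mod p), the message

if __name__ == "__main__":
    h, f_p = keygen(F, G)
    print("recovered:", decrypt(encrypt(M, R, h), F, f_p), "sent:", M)
```

Calling `invert(G, N, Q)` returns `None`: the coefficients of g sum to zero, so X - 1 divides both g and X^N - 1 and no inverse exists, which is the case keygen has to reject.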


3. SUMMARY OF NTRU DEVELOPMENT

Many non-invertible polynomial NTRU variants exist [21], including CTRU, MaTRU, matrix formulation, QTRU, NNRU, ETRU, ILTRU, and others, detailed in Table 2, while some variations suggest using polynomial rings with coefficients in other rings or another formula [22]. The work was carried out in two phases. The first phase was to prepare an integrated table of key generation, encryption, and decryption (Table 2). In the second phase, these improvements were summarized in detail and each part was analyzed (Table 3), to make this paper a basis for those who want to delve into this wide field.


Table 2. The efficient and provably secure cryptosystem

NO.  Algorithm          Key generation  Encryption      Decryption
1    NTRU [3]           1C              1C and 1A       2C and 1A
2    BITRU [3], [23]    8C              8C and 1A       16C and 1A
3    BOTRU [24]         8C              8C and 4A       24C and 4A
4    BCTRU [25]         16C             16C and 8A      32C and 12A
5    QTRU [11], [26]    16C             16C and 4A      32C and 4A
6    PQTRU [3]          32C             32C and 4A      64C and 4A
7    NTRS [27]          36C             18C and 6A      45C and 6A
8    NTRSH [28]         54C             18C and 6A      189C and 6A
9    OTRU [23]          64C             64C and 8A      1024C and 8A
10   NTRTE [11]         64C             6C and 8A       96C and 8A
11   QOBTRU [23]        64C             64C and 8A      256C and 8A
12   QMNTR [29]         80C             80C and 4A      1088C and 4A
13   QOTRU [30]         80C             32C and 8A      38C and 8A
14   TOTRU [31]         128C            128C and 16A    1536C and 16A
15   HXDTRU [3], [32]   256C            256C and 16A    4096C and 16A


In Table 2, C denotes convolution multiplication and A denotes polynomial addition. The algorithms in Table 2 are listed with the number of convolutions in key generation and encryption/decryption, arranged from low to high security with better efficiency. A higher number of convolutions makes the algorithm more efficient but gives the lowest speed in the encryption/decryption process.


3.1. NTRU variant 

Table 3 in the APPENDIX shows a summary of previous research on the same algorithm, differing in public key or finite field, ordered by year. There is an increase in research done on the NTRU algorithm, as shown below.


3.2. Discussion 

Overall, the summary shows a high level of agreement in the majority of cases on the mechanism of encryption/decryption of NTRU, except that key generation changes in most previous studies, as Table 3 shows. Many studies in the literature were checked for more information on NTRU public key generation, and it was found that some NTRU public key developments depend on multiple dimensions, while others depend on replacing the original ring in NTRU with, for example, quaternion algebra, Eisenstein integer algebra, or other mathematical algebras. The public key system has been modified and made more secure as a result of this change. In this case, an analytical solution cannot be easily obtained when comparing the increasing complexity with the lower speed of encryption and decryption. This leads us to ask how to balance the complexity of the public key against the speed of encryption/decryption, whether a new method of public key generation can be presented and compared with the classical way, and whether quantum methods are efficient for solving this problem. Research in these areas requires studies in the quantum field. If the properties of quantum mechanics are used, the degree of complexity can be $\sqrt{N}$, which is better than the original case of $N^2$. These findings could also be applicable to speeding up execution time while maintaining or even increasing the complexity of the data. The results of the study provide evidence that the way is still open for further thinking about the mechanism of evolution, although NTRU was chosen in the third round of post-quantum cryptography and is resistant to Shor's algorithm.


4. CONCLUSION 

NTRU was found to have an edge in terms of arithmetic operations, since it is both quick and requires less storage space. As a result, NTRU has become an ideal alternative for a wide range of applications. This paper has presented most of the wide range of NTRU development variants, collecting these studies and summarizing them as a basis for those who want to research the mechanism and how to develop this algorithm. This is very important for future work, especially since NTRU was chosen by NIST in round 3 of post-quantum cryptography. This paper has also found that quantum mechanics has never been used in generating the public key, either as a parameter or to generate it entirely while eliminating the inverse polynomial, which answers the question asked at the beginning of this paper.


APPENDIX
Table 3. NTRU Previous work with variant and our analysis

Ref: [33], [34]
Algorithm: NTRU Non-invertible Encrypt
Principle: It is possible to use NTRU with non-invertible polynomials, extending the capabilities of NTRU Encrypt to include non-invertible polynomials as a means of overcoming the difficulty in locating an invertible polynomial using NTRU Encrypt.
Finite field/deg: $R_p = \mathbb{Z}_p[x]/(x^N - 1)$, $R_q = \mathbb{Z}_q[x]/(x^N - 1)$
Public key: $h = f_q * g \bmod q$
Attacks: Attack on private key; brute force attack; meet in the middle attack; lattice attack
Analysis: It is faster than the original NTRU. This extension avoids the challenge of finding "enough" invertible polynomials.

Ref: [8], [25], [35], [36]
Algorithm: C_TRU
Principle: CTRU develops NTRU Encrypt over a binary finite field F2 that is safe against Popov normal form attacks but is entirely vulnerable to linear algebra-based attacks. As a result, CTRU has a non-commutative secure variation known as NETRU.
Finite field/deg: $\mathbb{F}_2[T][X]/(X^N - 1)$
Public key: $H = g/f \pmod Q$
Attacks: Attack on the private key; meet in the middle attack; multiple transmission attack; attack on public key using Popov normal form
Analysis: CTRU is completely insecure to meet the security criterion for valid decryption. CTRU neither improves performance nor protects against linear algebra attacks.

Ref: [16], [37]
Algorithm: Ma_TRU
Principle: MaTRU uses the linear transformation of two-sided matrix multiplication to work on the ring of k by k matrices of a polynomial in R. MaTRU uses the same number of bits per message as NTRU Encrypt when $nk^2 = N$.
Finite field/deg: $M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$
Public key: $h = F * W * G \bmod q$
Attacks: Brute force attack; lattice attack
Analysis: MaTRU's improved linear transformation efficiency results in significant speed increases of a factor of O(k) over NTRU.
Ref: [2], [38]
Algorithm: GN_TRU
Principle: NTRU Encrypt over the ring of Gaussian integers $\mathbb{Z}[i] = \{a + ib : a, b \in \mathbb{Z},\ i^2 = -1\}$ is proposed by GNTRU. GNTRU is significantly more resistant to lattice attacks than NTRU Encrypt but is not as efficient.
Finite field/deg: $\mathbb{Z}[i][X]/(X^N - 1)$
Public key: $h = f_q * g \bmod q$
Attacks: Brute force attack
Analysis: The security of NTRU, ETRU, and GNTRU in terms of decryption failure is very similar.

Ref: [14], [39], [40]
Algorithm: Matrix_NTRU
Principle: Matrix NTRU is the matrix formulation of NTRU Encrypt. This is because the matrix formulation form is more secure when the matrix is invertible or when the matrix has a determinant. Additionally, it may verify that encryption and decryption operate properly without requiring the parameters p and q to be fixed.
Finite field/deg: $M[X]/(X^n - I)$
Public key: H = p"Xq"Y (modulo q)
Attacks: A matrix is only invertible when its determinant is discovered
Analysis: Has the capability of transmitting massive amounts of data in the form of matrices, but drawback of If one of the matrix positions is identified

Ref: [41]
Algorithm: GB_NTRU
Principle: GB-NTRU generalizes NTRU Encrypt to a multivariate polynomial, which in its system is a bivariate polynomial. GB-NTRU may be extended to a twisted group ring variation of NTRU, which contains NTRU defined by $x^N + 1$ and QTRU. It is a critical future task to explore the security of variation of NTRU in the broad framework.
Finite field/deg: Z[X,Y]/(XN - 1, Y" - 1)
Public key: p-glfta
Attacks: Lattice attack; brute force
Analysis: It may allow for the selection of smaller f and g, allowing for the selection of larger r and m.

Ref: [2], [42], [43]
Algorithm: NNRU
Principle: NNRU operates on the ring of k by k polynomial matrices in R. In comparison to NTRU Encrypt, NNRU is considered to be more secure against lattice-based attacks. By setting N equal to $n(k^2)$, NTRU Encrypt and NNRU have the same plaintext block size.
Finite field/deg: $M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$
Public key: $h = w G_q \pmod q$, $H = F_q c \pmod q$
Attacks: Brute force attack; meet in the middle attack; multiple transmission attacks
Analysis: NNRU is fully safe against lattice attacks and has a large speed boost.

Ref: [38]
Algorithm: G_TRU
Principle: NTRU Encrypt is generalized over a larger algebra than the Dedekind domain, D. GTRU's underlying algebra can be non-commutative (quaternion algebra or four-dimensional algebra) or even non-associative (octonion algebra or algebra of dimension eight).
Finite field/deg: $D[X]/(X^N - 1)$
Public key: £08 pate (fo ‘ a)
Attacks: Lattice attack
Analysis: The suggested GTRU for IoT is more secure than NTRU. As a result, the GTRU for IoT

Ref: [2], [24], [23]
Algorithm: O_TRU
Principle: The octonion variant of NTRU Encrypt is proposed by OTRU. OTRU's operation is based on a non-associative octonion algebra, $A := \{a_0(x) + \sum_{i=1}^{7} a_i(x) e_i \mid a_0(x), \dots, a_7(x) \in R\}$, where $R = \mathbb{Z}[X]/(X^N - 1)$. OTRU is faster than NTRU Encrypt.
Finite field/deg: $\mathbb{Z}[X]/(X^N - 1)$, octonion algebra (non-associative algebra)
Public key: $H = F_q \circ G \in A_q$
Attacks: Brute force attack; meet in the middle attack; multiple transmission attack; message expansion
Analysis: OTRU design and execution will be simple, quick, dependable, and cost-effective. It is slower than the original NTRU.
Ref: [12], [44], [2], [30], [31]
Algorithm: Q_TRU
Principle: The quaternion version of NTRU Encrypt is presented. QTRU's operation necessitates the use of a noncommutative quaternion algebra, $H = \{a + ib + jc + kd \mid a, b, c, d \in \mathbb{Z},\ i^2 = j^2 = k^2 = ijk = -1\}$.
Finite field/deg: $(-1, -1)$ over $\mathbb{Z}[X]/(X^N - 1)$, based on quaternion algebra
Public key: H = H*P mod q
Attacks: Brute force attack; lattice attack; message expansion
Analysis: It has a very complicated and secure fundamental structure. Hard to attack by LLL.

Ref: [45]
Algorithm: DB_TRU
Principle: Designs NTRU Encrypt over a ring of binary truncated polynomials with positive integer coefficients that are dual special types, $R_N[x] = GF(2)[x]/(x^N - 1)$, $N \in \mathbb{Z}^+$. DBTRU outperforms NTRU Encrypt in terms of theoretical performance and security.
Finite field/deg: $GF(2)[x]/(x^N - 1)$
Public key: h = g * F, * S mod L
Attacks: Meet-in-the-middle attacks; multiple transmission attacks; brute-force attacks; attack on f by using algebraic linear equations
Analysis: DBTRU equals NTRU in speed. DBTRU's message-expansion factors are somewhat greater than NTRU's.

Ref: [11], [46], [47]
Algorithm: E_TRU
Principle: NTRU Encrypt is presented over the Eisenstein integer ring, $\mathbb{Z}[\omega] = \{a + \omega b \mid a, b \in \mathbb{Z},\ i^2 = -1,\ \omega = e^{2\pi i/3}\}$.
Finite field/deg: $\mathbb{Z}[\omega][X]/(X^N - 1)$, Eisenstein integers $\mathbb{Z}[\omega]$
Public key: $H = f * g \bmod q$
Attacks: Brute force attack; attack on the private key; meet in the middle attack; multiple transmission attack
Analysis: The security of NTRU, ETRU, and GNTRU in terms of decryption failure is very similar. However, in the most recent security releases.

Ref: [2], [38]
Algorithm: GR-NTRU
Principle: NTRU Encrypt is derived over a group ring, $\mathbb{Z}[G] = \{\sum_{g \in G} a_g [g] \mid a_g \in \mathbb{Z}\ (\forall g \in G)\}$. GR-NTRU is less safe than NTRU Encrypt, according to the security comparison.
Finite field/deg: $\mathbb{Z}[G][X]$
Public key: h = f"*'g' MOD q; successful keys are more than 1/1000
Attacks: Brute force attack; attack on the private key; meet in the middle attack; multiple transmission attacks; lattice attack
Analysis: Among these GR-NTRUs, the original NTRU and multivariate NTRU are the most secure. It is possible to expand the encryption to a functional level.

Ref: [48]
Algorithm: BI_TRU
Principle: Suggests NTRU Encrypt as an alternative to binary algebra, $BN = \{a + bj \mid j^2 = 1,\ a, b \in R\}$. BITRU is a multidimensional cryptosystem that can encrypt two independent communications from two different sources using two public keys, h and k. BITRU Encrypt has a higher level of security than NTRU Encrypt.
Finite field/deg: $\mathbb{Z}[X]/(X^N - 1)$
Public key: $h = g\, f_q \bmod (q)$, $k = g_q\, w \bmod (q)$
Attacks: Attack on private key
Analysis: BITRU has four times the security of NTRU due to the presence of two public keys h, k and four polynomial private keys.

Ref: [49]
Algorithm: CQ_TRU
Principle: NTRU Encrypt is presented over a commutative quaternion ring, $A = \{a + bi + cj + dk \mid a, b, c, d \in K,\ i^2 = a,\ j^2 = b,\ ij = k\}$. CQTRU is capable of encrypting and decrypting four messages concurrently and is immune to alternate key attacks, brute force attacks, and lattice attacks. CQTRU is a more secure encryption method than NTRU Encrypt.
Finite field/deg: A[X]
Public key: H = F: G mod q
Attacks: Brute force attacks; lattice attack
Analysis: CQTRU allows for small polynomial dimensions while maintaining a high level of security. CQTRU has four dimensions, so it can encrypt and decrypt four messages at the same time.
Ref: [32]
Algorithm: HXD_TRU
Principle: NTRU Encrypt is derived over a hexadecimal algebra, $P = \{r_0 + \sum_{i=1}^{15} r_i x_i \mid r_0, r_1, \dots, r_{15} \in K\}$. HXDTRU with an N-dimensional array is sixteen times faster than NTRU Encrypt with a 16-dimensional array.
Finite field/deg: Z[X]
Public key: H=F GEY,
Attacks: Brute force attack; alternate keys attack; lattice-based attacks
Analysis: The HXDTRU is a multidimensional cryptosystem capable of encrypting messages of length 16N in a single round (i.e. sixteen messages from a single source,

Ref: [42], [50], [30]
Algorithm: ITRU
Principle: NTRU Encrypt is presented over the ring of integers modulo n, denoted by $\mathbb{Z}/n\mathbb{Z}$. In the key generation comparison, ITRU requires only $O(N^2)$, whereas NTRU Encrypt requires $O(N^2(\log^2 p + \log^2 q))$.
Finite field/deg: $(\mathbb{Z}/n\mathbb{Z})[X]/(X^N - 1)$, based on ideal lattices
Public key: $h = pg/f \in R$
Attacks: Brute force attack; attack on the private key; meet in the middle attack
Analysis: ITRU provides several advantages over NTRU, including a simpler parameter selection process and invertibility.

Ref: [51]
Algorithm: SQ_TRU
Principle: Presents NTRU Encrypt over coquaternions (also known as split quaternion algebra), which is a new type of encryption over coquaternions, $H = \{q_0 + q_1 i + q_2 j + q_3 k \mid q_0, q_1, q_2, q_3 \in R\}$, where $R = \mathbb{Z}[x]/(x^N - 1)$.
Finite field/deg: 1-1) ao BVG"-D
Public key: $H = F \circ G \pmod q$
Attacks: Brute force attack; lattice-based attacks
Analysis: The present lattice attack algorithms have a hard time attacking it.

Ref: [49], [52]
Algorithm: Pair_TRU
Principle: Creates an NTRU Encrypt over the non-commutative matrix ring composed of k*k matrices of polynomials for Z*Z and establishes the NTRU Encrypt over it. In comparison to NTRU Encrypt, PairTRU is more resistant to linear algebra-based and lattice-based attacks.
Finite field/deg: M(k, Z x Z)[x]
Public key: h=w+*Gq,q)mod(, HS ea) *emod(g
Attacks: Brute force attack; chosen ciphertext attacks; message expansion; multiple transmission attack; lattice attack
Analysis: The PairTRU cryptosystem is resistant to linear algebra and lattice-based attacks. PairTRU is based on the NTRU core and uses two-sided matrix multiplication.

Ref: [53]
Algorithm: D_NTRU
Principle: The definition of the truncated polynomial ring is introduced using the NTRU Encrypt as a point of reference. To complete its security proof of IND-CPA (Indistinguishability under Chosen Plaintext Attack), DNTRU additionally makes use of another cryptosystem, namely C-NTRU, as an aid.
Finite field/deg: $\mathbb{Z}[X]/(X^N - 1)$
Public key: hy = (p Q fj 29) t qı hz <r Rg,
Attacks: Brute force attacks
Analysis: The D-NTRU PKC algorithm uses a smaller ciphertext expansion than the original NTRU algorithm and is more efficient than NTRU.
Ref: [54], [52]
Algorithm: D_TRU1
Principle: Designs on the ring of dual integers (or the ring with no divisors) are shown. D = Z + εZ, ε² =
Finite field/deg: At x“ -1
Public key: $h = p \cdot (f_q * g) \pmod q$
Attacks: Brute force attacks; meet-in-the-middle attack; lattice attacks
Analysis: Provides the same degree of security as NTRU while more secure than NTRU, it is also less efficient.